SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

22 October 2002 DDoS Attack Targets The Core of The Internet

The thirteen root name servers, effectively the master directory for the Internet, were subjected to a large-scale distributed denial of service attack on Monday evening. According to Internet Software Consortium Inc. Chairman Paul Vixie, only four withstood the attack. Redundancy designed into the system allowed most traffic to get to its intended destination without delay.
-http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
[Editor's Note (Paller): The only way to stop such attacks is to fix the vulnerabilities on the machines that would ultimately get taken over and used to launch the attacks. There's no defense once the machines are under the attacker's control. If organizations have not established a vulnerability identification and remediation program for all their systems - even the "unimportant" ones - it won't be long before their foot dragging will subject them to economic liability and community contempt for their negligence.]

21 October 2002 Cytron Trojan

A Trojan horse program called Cytron is actually a browser plug-in that serves pop-up advertisements for pornographic web sites. Users are led to believe they are downloading an e-card viewer plug-in for an on-line greeting they've received, but what gets downloaded is actually Cytron, which has a valid certificate. The Trojan is named for the Canadian company that operates most of the sites on the pop-up ads.
-http://online.securityfocus.com/news/1350
[Editor's Note (Schultz): What next? This latest threat once again highlights the importance of user awareness in preventing undesirable outcomes. (Murray) Enterprises should be blocking such plug-ins at the network gateway. I doubt that one can get it from AOL.]

18 October 2002 Cisco Catalyst LAN Switch Vulnerability

Some Cisco Catalyst LAN switches are vulnerable to buffer overflow attacks that could result in a denial of service. Switches running CatOS versions 5.4 to 7.3, inclusive, and which have "cv" in their image names are affected. Users are encouraged to upgrade their software or employ a workaround, which entails disabling HTTP on vulnerable switches. -http://www.theregister.co.uk/content/55/27690.html

Speaking on a panel at the USENIX Security Symposium, Microsoft Palladium project manager Peter Biddle said the technology was designed to protect entertainment content and he didn't see how it could be used to enforce software licensing. Fellow panelist Lucky Green wasn't so sure; shortly after the conference he applied for two patents for techniques for using Palladium for just that purpose. -http://www.wired.com/news/technology/0,1282,55807,00.html

17 October 2002 ElcomSoft Trial Delayed

A trial in which a Russian software company is being charged with violating the controversial Digital Millennium Copyright Act (DMCA) has been delayed six and one half weeks because officials at the US embassy in Russia have denied visas to key witnesses. One of the witnesses, programmer Dmitry Sklyarov, was arrested in August 2001 after giving a presentation about software that circumvents e-book copy protection at a conference in Las Vegas. ElcomSoft's attorney plans to file a motion to dismiss the case because his clients aren't able to testify.
-http://news.com.com/2100-1023-962491.html

16 October 2002 Clarke: No Tax Credits for Cyber Security Measures

Richard Clarke says the Bush administration is unlikely to give tax credits to companies that employ cyber security measures; companies should be doing so of their own initiative. He also said that the government should not regulate cyber security; the government should instead encourage security awareness and information sharing and stimulate research.
-http://www.cio.com/research/security/edit/101602_clarke.html
[Editor's Note (Schultz): Ideally, the US government should regulate industry, given that industry comprises so much of the national infrastructure. But the government has trouble regulating itself in the first place--how could it possibly regulate industry?]

16 October 2002 UK Businesses Need to Address Cybersecurity

British e-commerce minister Stephen Timms expressed concern that only 27% of businesses in the UK have IT security policies; that figure was published in a PricewaterhouseCoopers report, and marks a 100% increase over last year's numbers. The report also asserts that infections from malware and cyber attacks cost UK businesses billions of pounds last year. The UK government wants businesses to make IT security a priority.
-http://news.zdnet.co.uk/story/0,,t274-s2123998,00.html
[Editor's Note (Murray): The correct measure is not the percentage of enterprises that have an IT security policy but what percentage of enterprises that have any policy at all have an IT security policy. Most small enterprises rely upon culture rather than written policies.]

16 October 2002 UK Corporate Group to Work with Law Enforcement

The UK's Corporate IT Forum has established a security group that hopes to work with the government on cybercrime prosecution. The group will allow companies to preserve proprietary information and protect their reputations by not making them go public with intrusion incident information. The group would like to work with the National High Tech Crime Unit (NHTCU), which is eager to create partnerships with such organizations. -http://www.vnunet.com/News/1135990

16 October 2002 Symantec Firewall Vulnerability

A security flaw in the web proxy component of Symantec's firewall technology leaves more than a dozen of the company's products vulnerable to a denial of service attack. Symantec customers were notified of the problem at the end of September, and the company has issued a bulletin and patches for affected products. The Danish company that issued an advisory about the problem issued a second advisory about an information leak in Symantec's web server that could let crackers discern host addresses behind firewalls. Symantec has known about the problem since 2001 and has issued a patch. -http://www.infoworld.com/articles/hn/xml/02/10/16/021016hnsymantec.xml?s=IDGNS

16 October 2002 e-Shoppers Concerned About Security

A survey of Internet consumers indicates that people are apprehensive about the security of their credit card and other personal information when making online purchases. Only 21.2% of those surveyed believed their information was secure. This lack of confidence could be detrimental to the growth of e-commerce.
-http://www.msnbc.com/news/821649.asp?0dm=C237T

The Financial Services Information Sharing and Analysis Center (ISAC) has signed an agreement with the FBI's National Infrastructure Protection Center (NIPC) that says they will communicate with each other on a weekly basis about cyber security threats. While the agreement indicates a shift in thinking for the private sector, companies are still wary of sharing certain information until they can be assured that it will not be accessible under the Freedom of Information Act (FOIA). This article also addresses concerns many private companies have about sharing cyber incident information, including the fear of information being made public and of computers being taken away. -http://www.cio.com/archive/101502/fear.html

15 October 2002 ATM Fraudster Draws Jail Time

A German man whose encryption scheme for ATMs was deemed too expensive instead turned to fraud, creating and using phony debit and credit cards to make withdrawals. The seventy-one-year-old was caught and sentenced to nearly five years in jail. -http://www.theregister.co.uk/content/55/27610.html

14 October 2002 Freeh Still Supports Encryption Restrictions

Former FBI director Louis Freeh has long favored stringent restrictions on encryption tools, including export restrictions and the inclusion of back doors so federal officials could access encrypted documents in criminal cases, but US policy went in the other direction, allowing the export of strong encryption products without backdoors. Freeh spoke to the Senate intelligence committee, pointing to the UK's Regulation of Investigatory Powers (RIP) Act which allows law enforcement officials to demand encryption keys for intercepted data, and provides for jail time for those who do not comply. -http://zdnet.com.com/2100-1104-961969.html

14 October 2002 FBI to Open Cyber Forensics Lab in CA

The FBI is establishing a Regional Computer Forensics Laboratory in Menlo Park, CA. The lab is expected to open next year; investigators will be able to bring seized digital equipment to a team of specialists for analysis to gather evidence in criminal investigations. -http://www.bayarea.com/mld/bayarea/4284974.htm

Instead of examining encrypted and unencrypted versions of a message to try to discern encryption keys, side channel attacks scrutinize processing time and power consumption. The head of RSA Laboratories says the growing presence of side channel attacks is causing a change in the way encryption software is written. New software may, for example, vary the amount of time it takes to perform specific functions. -http://www.vnunet.com/News/1135796
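The timing leak described above, as an added example that is not part of the article: rather than measuring noisy wall-clock time, the code counts byte operations, which is what an attacker's timing measurements approximate. It contrasts an early-exit comparison, whose work depends on how many leading bytes of a guess are correct, with a constant-time comparison whose work depends only on length. The article mentions deliberately varying execution time; the fixed-time approach shown here is the complementary defense most commonly used for secret comparisons.

```python
"""Deterministic model of a timing side channel in a secret comparison.

Constructed example; the operation counter stands in for an attacker's
timing measurements, which rise with the number of matching prefix bytes.
"""
from typing import Iterable, List, Tuple


def leaky_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: returns (match, byte_operations).

    Stops at the first mismatch, so the work done (and hence the time
    taken) reveals the length of the correct prefix of the guess.
    """
    ops = 0
    if len(secret) != len(guess):
        return False, ops
    for s, g in zip(secret, guess):
        ops += 1
        if s != g:
            return False, ops
    return True, ops


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Fixed-time comparison: every byte is visited, differences are OR-ed.

    Work depends only on the guess length, never on where a mismatch
    occurs, so timing carries no information about the secret's bytes.
    """
    diff = 0
    if len(secret) != len(guess):
        # Still do a full pass over the guess so a length mismatch does
        # not short-circuit; the result is forced to False.
        secret, diff = guess, 1
    ops = 0
    for s, g in zip(secret, guess):
        ops += 1
        diff |= s ^ g
    return diff == 0, ops


def timing_profile(compare, secret: bytes, guesses: Iterable[bytes]) -> List[int]:
    """Return the operation count per guess: the 'trace' an attacker would see."""
    return [compare(secret, g)[1] for g in guesses]
```

With `leaky_compare` the profile for guesses differing at positions 0, 2 and 5 is `[1, 3, 6]`; with `constant_time_compare` it is `[6, 6, 6]`.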

SECURITY TRAINING NEWS

Featuring the eight highest rated teachers in the security field. If you can attend only one conference this winter, try to get a place in the courses in San Francisco. Also featured is a free, evening step-by-step program for implementing a Top 20 vulnerability remediation program. San Francisco is often warmer and less crowded in December than in August. See http://www.sans.org for details on San Francisco and other programs.